
jdk: 21.0.7+6 -> jdk-21.0.8+9 #432442

Closed
deftdawg wants to merge 1 commit into NixOS:master from deftdawg:openjdk21-CVE-2025-30749

Conversation

@deftdawg
Contributor

@deftdawg deftdawg commented Aug 10, 2025

21.0.7+6 is affected by CVE-2025-30749, which appears on Grype scans; 21.0.8 is listed as a fixed version.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.


Ping maintainers: @edwtjo @Infinidoge @chayleaf @FliegendeWurst @tomodachi94

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches. 6.topic: java Including JDK, tooling, other languages, other VMs 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Aug 10, 2025
@tomodachi94 tomodachi94 added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Aug 11, 2025
@deftdawg deftdawg force-pushed the openjdk21-CVE-2025-30749 branch from 6447462 to 25600c9 August 18, 2025 23:14
@deftdawg deftdawg force-pushed the openjdk21-CVE-2025-30749 branch from 25600c9 to bd3dfd0 August 18, 2025 23:16
@deftdawg
Contributor Author

deftdawg commented Aug 18, 2025

jdk-21.0.8-ga doesn't parse: it fails at the configure step with an error about how 'a' is not a valid numerical value for VERSION_BUILD (presumably from -ga), similar to this error: adoptium/temurin-build#3911

Bumped version to jdk-21.0.8+9 for retest.

EDIT: this tag worked (it's the same commit as the -ga tag also)

@deftdawg deftdawg changed the title jdk: 21.0.7+6 -> jdk-21.0.8-ga jdk: 21.0.7+6 -> jdk-21.0.8+9 Aug 18, 2025
@deftdawg
Contributor Author

cc: @NixOS/java -- This patch addresses a CVE from a few weeks ago; can it be merged?

Any folks who encounter problems rebuilding with maven may be hitting this bug, which was discovered during the update process at my company: #435467

@msgilligan msgilligan requested review from Infinidoge and msgilligan and removed request for Infinidoge and msgilligan August 21, 2025 18:52
@msgilligan
Contributor

I'm closing this as a duplicate of PR #426903. I will try to review that one.

@msgilligan msgilligan closed this Aug 21, 2025
@nixpkgs-ci nixpkgs-ci bot removed the 9.needs: reviewer This PR currently has no reviewers requested and needs attention. label Aug 21, 2025
@msgilligan
Contributor

This patch addresses a CVE from a few weeks ago, can it be merged?

From the CVE:

Difficult to exploit vulnerability allows

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code

So probably doesn't affect too many Nixpkgs components if any at all.

@deftdawg
Contributor Author

So probably doesn't affect too many Nixpkgs components if any at all.

There were 3 highs (CVE-2025-30749, CVE-2025-50106, CVE-2025-50059) and a medium CVE (CVE-2025-30754) relating to 21.0.7, I just picked the first one on the list.

The company I work for has a policy of addressing "high" vulnerabilities within a week of when a fixed version is available; I personally recognize the risks are often theoretical, but I have to make an attempt.

Anyway thanks for taking the time to review the new PR. 🍻
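An added check (my own example, not code from this PR or from nixpkgs) that parses JEP 223 version strings such as the 21.0.7+6 and jdk-21.0.8+9 tags discussed in this thread and reports which of the four CVEs named above are still open for a given runtime. The fixed-version table assumes every listed CVE is fixed at the 21.0.8 update level, as the thread states for CVE-2025-30749, and the `java -version` output is a constructed sample.

```python
import re

# CVE -> first fixed 21.x update. Assumption taken from the PR thread: Grype
# flags these four CVEs against 21.0.7 and 21.0.8 is listed as the fixed version.
FIXED_IN_21 = {
    "CVE-2025-30749": (21, 0, 8),
    "CVE-2025-50106": (21, 0, 8),
    "CVE-2025-50059": (21, 0, 8),
    "CVE-2025-30754": (21, 0, 8),
}

# JEP 223 version string: $FEATURE.$INTERIM.$UPDATE[.$PATCH][+$BUILD][-$OPT],
# optionally with the "jdk-" prefix used by upstream git tags.
_VERSION_RE = re.compile(
    r"^(?:jdk-)?(?P<vnum>\d+(?:\.\d+)*)(?:\+(?P<build>\d+))?(?:-(?P<opt>[\w.]+))?$"
)

def parse_version(text):
    """Return (version_tuple, build, opt) for '21.0.7+6', 'jdk-21.0.8+9' or
    'jdk-21.0.8-ga'. A '-ga' suffix is an OPT field, not a numeric BUILD."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a JDK version string: {text!r}")
    vnum = tuple(int(p) for p in m.group("vnum").split("."))
    build = int(m.group("build")) if m.group("build") else None
    return vnum, build, m.group("opt")

def version_from_java_output(output):
    """Pull the quoted version token out of 'java -version' output."""
    m = re.search(r'version "([^"]+)"', output)
    if not m:
        raise ValueError("no version line found in java -version output")
    return parse_version(m.group(1))

def open_cves(vnum, table=FIXED_IN_21):
    """CVEs from the table not yet fixed in vnum. Only $FEATURE.$INTERIM.$UPDATE
    matters (the fix is an update-level change), and feature lines the table
    does not cover are skipped rather than reported as clean."""
    v = (tuple(vnum) + (0, 0, 0))[:3]  # '21' compares like 21.0.0
    return sorted(cve for cve, fixed in table.items()
                  if v[0] == fixed[0] and v < fixed)

# Constructed sample of 'java -version' output for a vulnerable runtime.
SAMPLE_JAVA_VERSION = """openjdk version "21.0.7" LTS
OpenJDK Runtime Environment (build 21.0.7+6)
OpenJDK 64-Bit Server VM (build 21.0.7+6, mixed mode, sharing)
"""
```

Feed it the real output of `java -version` (which prints to stderr) to check a deployed runtime against the thread's list.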
